I'm not claiming that Threefish is secure and ready for commercial use -- at any keylength -- but there simply isn't a chance that encryption speed will drop by half for every key bit added.

If I understand things correctly, "Skein" (with Threefish at its core) was an SHA3 candidate. So I expect that Threefish has seen some cryptanalysis since 2009.

Can you tell me if Threefish has successfully been attacked yet (either practically or theoretically) and point me to the related paper(s) so I can learn about those attacks and related security implications?

If you're looking for a tweakable blockcipher also take a look at BLAKE2's underlying blockcipher.
– orlp, Nov 13 '13 at 18:25

@nightcracker This one, right? I have that one on my to-do list already, so you can expect some questions about the BLAKE2 algorithm later on.
– Trina, Nov 13 '13 at 18:34

@CodesInChaos Thank you. That was exactly what I was looking for. But now I am wondering: how can I accept your comment as an answer (or doesn't it work that way)?
– Trina, Nov 13 '13 at 18:40

What research have you done? Have you done a literature search? We expect you to make some effort to find out the answer on your own before asking, and to show what you've tried so far.
– D.W., Nov 14 '13 at 6:07

2 Answers

Full disclosure — I'm a Skein/Threefish co-author. Also, when I mention Skein/Threefish without any other qualification, I mean Skein/Threefish-512.

The security proofs we did for Skein prove that if there's a weakness in Skein, it implies an underlying weakness in its components (Threefish or UBI). As Dmitry says above, Threefish is very strong, and there are very few attacks on it. I don't know of one that's better than the 35-round attack we mention in V1.3 of the paper.

Our goal in Skein was that we know a lot more about designing block ciphers than hash functions so we'd build a strong hash function by starting with a strong cipher. Threefish builds on Twofish, (P)Helix, and other things. The philosophy was lots of fast rounds, and that has held up.

Enough time has passed that I'm starting to use Threefish in some of my own work. I think it's a very good way to go because tweakability is a powerful feature. If you are interested, also look at McOE mode which can turn a cipher into an authenticated function, and is designed to be resistant to misuse. It is built with AES and Threefish as examples, and I think Threefish in McOE mode is powerful.

Pure Threefish has received less attention than Skein. In short, it has a large security margin, and can be safely used for encryption.

In more detail, Threefish has been tweaked twice. The first two versions were vulnerable to rotational cryptanalysis in weak models (related-key attacks or distinguishers) up to 57 rounds. All these attacks are impractical.

The last version of Threefish is quite strong. Even in weak models the best attacks hardly penetrate half of the cipher.

Quite surprisingly, there is no key-recovery attack even on a reduced-round version of Threefish. SHA-3 Zoo is misleading here: the key recovery attacks from its list work in the related-key model. Nevertheless, I would expect that the meet-in-the-middle attack enhanced with bicliques could penetrate up to 20-25 rounds.
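Two things both answers rely on are worth seeing in code: the tweak input that the first answer calls Threefish's most powerful feature, and the round structure that the attack figures (35 rounds, 57 rounds, "half of the cipher") refer to. The following Threefish-256 implementation is added here for this thread and is not the Skein team's reference code; the rotation table, word permutation and key schedule follow the Skein 1.3 specification, while the `rounds` parameter, the byte helpers and the `tweak_avalanche` function are my additions so that reduced-round variants of the kind the attacks target can be run next to the full 72-round cipher.

```python
# Threefish-256 (Skein 1.3 constants), written as an illustration for this
# discussion. Not the Skein/Threefish reference implementation.
# Assumption: the `rounds` parameter (default 72, the real cipher) is added
# here so reduced-round variants can be exercised; it is not part of the spec.

MASK64 = (1 << 64) - 1
C240 = 0x1BD11BDAA9FC1A22                 # key-schedule parity constant (spec)
ROT = [(14, 16), (52, 57), (23, 40), (5, 37),
       (25, 33), (46, 12), (58, 22), (32, 32)]  # Threefish-256 rotation table
PERM = (0, 3, 2, 1)                       # word permutation after each round
INV_PERM = tuple(PERM.index(i) for i in range(4))
FULL_ROUNDS = 72


def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def key_schedule(key, tweak):
    """Expand a 4-word key and 2-word tweak into the 19 subkeys (one per 4 rounds + final)."""
    k = list(key) + [C240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]   # k4 = parity word
    t = [tweak[0], tweak[1], tweak[0] ^ tweak[1]]                # t2 = t0 ^ t1
    subkeys = []
    for s in range(FULL_ROUNDS // 4 + 1):
        subkeys.append([
            k[s % 5],
            (k[(s + 1) % 5] + t[s % 3]) & MASK64,
            (k[(s + 2) % 5] + t[(s + 1) % 3]) & MASK64,
            (k[(s + 3) % 5] + s) & MASK64,                         # round counter
        ])
    return subkeys


def encrypt_block(key, tweak, block, rounds=FULL_ROUNDS):
    """Encrypt four 64-bit words; rounds must be a multiple of 4 (subkey cadence)."""
    assert rounds % 4 == 0 and 0 < rounds <= FULL_ROUNDS
    ks = key_schedule(key, tweak)
    v = list(block)
    for d in range(rounds):
        if d % 4 == 0:                          # subkey injection every 4 rounds
            v = [(v[i] + ks[d // 4][i]) & MASK64 for i in range(4)]
        r0, r1 = ROT[d % 8]
        v[0] = (v[0] + v[1]) & MASK64           # MIX on (v0, v1)
        v[1] = rotl(v[1], r0) ^ v[0]
        v[2] = (v[2] + v[3]) & MASK64           # MIX on (v2, v3)
        v[3] = rotl(v[3], r1) ^ v[2]
        v = [v[PERM[i]] for i in range(4)]      # permute words
    return [(v[i] + ks[rounds // 4][i]) & MASK64 for i in range(4)]  # final subkey


def decrypt_block(key, tweak, block, rounds=FULL_ROUNDS):
    """Inverse of encrypt_block: undo final subkey, then each round in reverse."""
    assert rounds % 4 == 0 and 0 < rounds <= FULL_ROUNDS
    ks = key_schedule(key, tweak)
    v = [(block[i] - ks[rounds // 4][i]) & MASK64 for i in range(4)]
    for d in reversed(range(rounds)):
        v = [v[INV_PERM[i]] for i in range(4)]  # undo permutation
        r0, r1 = ROT[d % 8]
        v[3] = rotr(v[3] ^ v[2], r1)            # undo MIX on (v2, v3)
        v[2] = (v[2] - v[3]) & MASK64
        v[1] = rotr(v[1] ^ v[0], r0)            # undo MIX on (v0, v1)
        v[0] = (v[0] - v[1]) & MASK64
        if d % 4 == 0:
            v = [(v[i] - ks[d // 4][i]) & MASK64 for i in range(4)]
    return v


def bytes_to_words(b):
    return [int.from_bytes(b[i:i + 8], "little") for i in range(0, len(b), 8)]


def words_to_bytes(w):
    return b"".join(x.to_bytes(8, "little") for x in w)


def threefish256_encrypt(key: bytes, tweak: bytes, block: bytes, rounds=FULL_ROUNDS) -> bytes:
    assert len(key) == 32 and len(tweak) == 16 and len(block) == 32
    return words_to_bytes(encrypt_block(bytes_to_words(key), bytes_to_words(tweak),
                                        bytes_to_words(block), rounds))


def threefish256_decrypt(key: bytes, tweak: bytes, block: bytes, rounds=FULL_ROUNDS) -> bytes:
    assert len(key) == 32 and len(tweak) == 16 and len(block) == 32
    return words_to_bytes(decrypt_block(bytes_to_words(key), bytes_to_words(tweak),
                                        bytes_to_words(block), rounds))


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tweak_avalanche(key: bytes, block: bytes, rounds=FULL_ROUNDS) -> int:
    """Ciphertext bits that change when a single tweak bit flips (same key, same plaintext)."""
    c0 = threefish256_encrypt(key, bytes(16), block, rounds)
    c1 = threefish256_encrypt(key, b"\x01" + bytes(15), block, rounds)
    return hamming_distance(c0, c1)


if __name__ == "__main__":
    # Constructed sample inputs, not spec test vectors.
    key, pt = bytes(range(32)), bytes(32)
    print("full cipher, one tweak bit flipped:", tweak_avalanche(key, pt), "of 256 bits differ")
    print("8 rounds, one tweak bit flipped:   ", tweak_avalanche(key, pt, rounds=8), "of 256 bits differ")
```

Two notes for anyone who runs this. First, compare the full-round output against the known-answer vectors in the Skein submission package before trusting it for anything beyond illustration; the round-trip and avalanche checks above do not prove the constants were transcribed correctly. Second, the reduced-round mode is there only to make "an attack on N rounds" tangible: the answers above are talking about how many of the 72 rounds an attack can reach, and a variant with 8 rounds is a toy for study, not something to encrypt with.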